Subject: RE: [saml-dev] SAML for Webservices

Thanks for the feedback Scott,

>This assumes the assertion comes with the message. The simple SAML model
>is more about how you ask an authority to send you an assertion, so it
>might presume that your service has authenticated the requester and then
>it asks an Authz Authority for this assertion with a query, specifying
>the resource and the authenticated user as the subject.

With regards to your comment above, if the client sends a SOAP request
to my WebService, then I could indeed authenticate him and make an
AuthorizationDecisionQuery for the resource using the SAML request-response.

However, would it not be possible for the client himself to have made
the AuthorizationDecisionQuery to the Authz Authority, and then send
the Assertion inside the SOAP request? Is this a legitimate SAML scenario?

In this case my service would not need to make any queries, so what
exactly would it need to do? Would the following be enough, or are
there other steps that need to be taken?

 1) Check the signature of the assertion (signed by the Authority)
 2) Check that the signature comes from a trusted authority
 3) Check that the "Resource" matches what the request is
    trying to access
 4) Check the "Decision" of the Authority (i.e. is it "Permit")
 5) Check the validity of the "NotBefore" and "NotOnOrAfter"
    attributes of the "Conditions" element, if they are present

Again, I would appreciate any feedback on this,

Karl Nesbitt Ph.D.
Web services security
Ph:  + 353 1 215 3316
Fax: + 353 1 215 3334
Cranford Court
Dublin 4  Ireland
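The five checks listed in the message, as an added example that is not part of the thread or of any SAML toolkit: a relying web service validating a SAML 1.x AuthorizationDecision assertion carried in a SOAP request, plus the extra check implied by Scott's point that the Subject must be the requester the service itself authenticated. The issuer URL, resource, key and sample assertion are constructed, and XML-DSig verification is stood in for by an HMAC over the assertion bytes (an assumption; a real service verifies the ds:Signature against the authority's certificate with an xmlsec library).

```python
import hmac, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"
TS = "%Y-%m-%dT%H:%M:%SZ"  # SAML 1.x timestamps are UTC
# Stand-in for XML-DSig (assumption): trusted authorities "sign" the assertion
# bytes with an HMAC key we hold; real code verifies ds:Signature with xmlsec.
TRUSTED_AUTHORITIES = {"https://authz.example.org": b"constructed-demo-key"}

def sign(assertion_xml, key):
    return hmac.new(key, assertion_xml, hashlib.sha256).hexdigest()

def check_assertion(assertion_xml, signature, resource, subject, now):
    """Steps 1-5 from the list above; `now` is a naive UTC datetime."""
    root = ET.fromstring(assertion_xml)
    # 2) the claimed Issuer must be trusted; that also selects the key to use
    key = TRUSTED_AUTHORITIES.get(root.get("Issuer"))
    if key is None:
        return False, "untrusted issuer"
    # 1) the signature over the assertion must verify under that key
    if not hmac.compare_digest(sign(assertion_xml, key), signature):
        return False, "bad signature"
    # 5) honour NotBefore / NotOnOrAfter when Conditions is present
    cond = root.find(SAML + "Conditions")
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < datetime.strptime(nb, TS)) or \
           (na and now >= datetime.strptime(na, TS)):
            return False, "outside NotBefore/NotOnOrAfter window"
    # 3) the decision must be about the resource being accessed
    stmt = root.find(SAML + "AuthorizationDecisionStatement")
    if stmt is None or stmt.get("Resource") != resource:
        return False, "no decision for this resource"
    # 4) the authority must actually have said Permit
    if stmt.get("Decision") != "Permit":
        return False, "decision is not Permit"
    # Extra (Scott's point): the Subject must be the requester we authenticated
    name = stmt.find(SAML + "Subject/" + SAML + "NameIdentifier")
    if name is None or name.text != subject:
        return False, "subject is not the authenticated requester"
    return True, "ok"

# Constructed sample assertion (not a real one) to run the checks against
SAMPLE = (b'<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="https://authz.example.org">'
          b'<Conditions NotBefore="2003-05-01T10:00:00Z" NotOnOrAfter="2003-05-01T10:05:00Z"/>'
          b'<AuthorizationDecisionStatement Resource="https://ws.example.com/orders" Decision="Permit">'
          b'<Subject><NameIdentifier>alice</NameIdentifier></Subject>'
          b'</AuthorizationDecisionStatement></Assertion>')
SAMPLE_SIG = sign(SAMPLE, TRUSTED_AUTHORITIES["https://authz.example.org"])
```

Order matters: the issuer is looked up before the signature is verified, so an assertion from an unknown authority is never treated as validly signed, and the Subject check ensures a Permit issued for one client cannot be presented by another.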

